Gérard LADIER Airbus / Aerospace Valley

Slides:



Advertisements
Similar presentations
Gérard Ladier Airbus France 11/2003
Advertisements

Requirements Engineering Processes – 2
Software Requirements
© 2005 by Prentice Hall Chapter 13 Finalizing Design Specifications Modern Systems Analysis and Design Fourth Edition Jeffrey A. Hoffer Joey F. George.
1 System Engineers Toolbox 1 Compliance Automation, Inc. INCOSE: NM Enchantment Chapter By Cheryl Hill August 12, 2009.
1 Welcome Safety Regulatory Function Handbook April 2006.
By Rick Clements Software Testing 101 By Rick Clements
The Managing Authority –Keystone of the Control System
Configuration management
Effectively applying ISO9001:2000 clauses 6 and 7.
AS9102 First Article Inspection Report
Software Testing Strategies
Testing Workflow Purpose
Checking & Corrective Action
Component-Based Software Engineering Main issues: assemble systems out of (reusable) components compatibility of components.
Software Change Impact Analysis
Software Processes.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 4 Slide 1 Software processes 2.
Lecture 8: Testing, Verification and Validation
Lecture 5: Requirements Engineering
Internal Control–Integrated Framework
Safety Critical Systems and Certification Issues DO-178B Airborne Standard
System Integration Verification and Validation
Lecture # 2 : Process Models
Computer Engineering 203 R Smith Requirements Management 6/ Requirements IEEE Standard Glossary A condition or capability needed by a user to solve.
Copyright © 2006 Software Quality Research Laboratory DANSE Software Quality Assurance Tom Swain Software Quality Research Laboratory University of Tennessee.
SE 555 Software Requirements & Specification Requirements Validation.
1 Software Requirements Specification Lecture 14.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.
Acquiring Information Systems and Applications
Software Considerations in Airborne Systems
Effective Methods for Software and Systems Integration
Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.
S/W Project Management
Commercial Database Applications Testing. Test Plan Testing Strategy Testing Planning Testing Design (covered in other modules) Unit Testing (covered.
Extreme Programming Software Development Written by Sanjay Kumar.
Introduction to Software Quality Assurance (SQA)
University of Palestine software engineering department Testing of Software Systems Fundamentals of testing instructor: Tasneem Darwish.
Chapter 2 The process Process, Methods, and Tools
CLEANROOM SOFTWARE ENGINEERING.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 4 Slide 1 Software Processes.
Product Development Chapter 6. Definitions needed: Verification: The process of evaluating compliance to regulations, standards, or specifications.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
What is a Business Analyst? A Business Analyst is someone who works as a liaison among stakeholders in order to elicit, analyze, communicate and validate.
This chapter is extracted from Sommerville’s slides. Text book chapter
Software Development Cycle What is Software? Instructions (computer programs) that when executed provide desired function and performance Data structures.
ISO 9001:2008 to ISO 9001:2015 Summary of Changes
1 FRENCH PROPOSAL FOR ESARR6 1 - BACKGROUND - 15/02/00 : Kick-off meeting, Presentation of the CAA/SRG input (SW01), Request from the chairman to comment.
CMSC 345 Fall 2000 Requirements Overview. Work with customers to elicit requirements by asking questions, demonstrating similar systems, developing prototypes,
Lecture 13.  Failure mode: when team understands requirements but is unable to meet them.  To ensure that you are building the right system Continually.
The common structure and ISO 9001:2015 additions
Software Requirements Specification Document (SRS)
HNDIT23082 Lecture 09:Software Testing. Validations and Verification Validation and verification ( V & V ) is the name given to the checking and analysis.
Lectures 2 & 3: Software Process Models Neelam Gupta.
ISO 9001:2015 Subject: Quality Management System Clause 8 - Operation
What is a software? Computer Software, or just Software, is the collection of computer programs and related data that provide the instructions telling.
Software Engineering Process - II 7.1 Unit 7: Quality Management Software Engineering Process - II.
 System Requirement Specification and System Planning.
SOFTWARE TESTING Date: 29-Dec-2016 By: Ram Karthick.
Software Project Configuration Management
CSC 480 Software Engineering
Software Requirements
Lecture 09:Software Testing
QGen and TQL-1 Qualification
Verification and Validation Unit Testing
QGen and TQL Qualification
Baisc Of Software Testing
Test Case Test case Describes an input Description and an expected output Description. Test case ID Section 1: Before execution Section 2: After execution.
First Article Inspection
Presentation transcript:

ladier@aerospace-valley.com 09/2010 Gérard LADIER Airbus / Aerospace Valley Software aspects of aeronautical certification and static analysis tools

Equipment Rules (JAR/FAR 25-1309) “Essential” equipment must be designed to perform its intended functions The airplane systems and associated components, considered separately and in relation to other systems, must be designed so that : The occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable, and The occurrence of any other failure conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions is improbable ...

Software Means of conformance It is in general not feasible to assess the number or kinds of software errors , if any, that may remain after the completion of system design, development, and test. DO - 178B/ED 12B, provides acceptable means for assessing and controlling the software used to program digital computer based systems ” Software

First principle We can’t get clean water from a dirty pipe Þ We can’t get clean water from a dirty pipe Evidences are requested on the pipe …

DO-178/ED-12 : evidences on the pipe … “DO-178B/ED-12B is primarily a process-oriented document” => Set of requirements on the processes (dev., verif, etc.) and their outputs “The occurrence of any failure condition which would prevent the continued safe flight and landing of the airplane is extremely improbable” => Evidences on the fulfilment of these requirements vary depending on the software “criticality” level

Life cycle and processes Definition of separate processes that will be combined for a given project to describe its life cycle: Planning process (organization/plans rather than scheduling) Development process (specification, design, coding, integration) Integral processes (verification, configuration management, quality assurance, certification liaison process). Define for each process: The Assurance objectives The means of achieving those objectives The process input data The process activities The process products The transition criteria, which must be met in order to proceed

Main common requirements on the developement processes Standards must be written and evidences of compliance with the rules should be provided Rules ? Dozen of documents Define precisely how to perform an activity (methods, means, constraints, expected outputs, etc. consistent precise tracable Each requirement or design item should be developed verifiable

Configuration management & Quality Assurance To assist in satisfying general objectives to: Control configuration of the software throughout the software life cycle Be able to replicate the executable object code Control process inputs and outputs during the software life cycle Provide baselines for review, assessment and change control Ensure problems management and change control Ensure archiving and recovery. To provide evidences that: What’s done is what’s described in plans Transition criteria are reached A conformity review of the software is conducted Main characteristics : Independence Active role during the life cycle process

Tools qualification -1 Necessary when processes required by the rest of the document are eliminated, reduced or automated by the use of a deterministic software tool whose outputs are not verified. 3 qualification criteria depending on the risk associated to the tool usage : Criteria 1 : Development Tool Criteria 3 : verification tool Criteria 2 : Verification tool which could have an impact on the resulting software : used to justify the elimination or reduction of: Verification process other than that automated by the tool, or Development process which could have an impact on the resulting software

Tools qualification - 2 Combination of the qualification criteria with the software level to give the Tool Qualification Level: Two distinct roles are defined : The user The developper He defines his needs (Tool Operational Requirements-TOR) and validate the tool in its usage context He defines his development specification (Tool Requirement-TR), develops the tool and provides the life cycle data Sharing of activities between these two roles are defined for COTS tools(11.3)

Tools qualification - 3 Qualification requirements : TQL 1, 2 et 3 : TQL 4 ones + « implementation » requirements : Depending on the level of the final product software developed with the tool TQL 4 : TQL 5 ones + «project management» requirements : TOR reviews (complete, accurate, and consistent) Definition of processes in plans Definition of the TR and verification / TOR Verification of the tool / TR et requirements coverage Configuration and change managements TQL 5 : «contracting authority» requirements, mainly concentrated in the TOR : Table T-0 defining all the “user” requirements including the validation of the tool versus the need expressed in the “avionics” PSAC Plus one requirement : «Impact of known problems on the TOR »

Second principe A clean pipe may not deliver clean water Þ Filters are piled to detect and eliminate impurities

Verification Basic principles: The most important section of DO-178/ED-12, in term of : volume : 13 pages of description ( ~ 5 pages for other processes ) Workload incurred (A380 : 4 lines of test for line of embedded code …) Basic principles: “Integral” process => applies to all the development processes Combination of : Reviews , Analysis Tests to detect and identify errors introduced during development

Reviews ? Analysis ? Tests ? Three major tools for bug-busters : Review : inspection of a product by an independant (level A) person; qualitative evaluation Analysis : detailed examination of a process, potentially done by a tool quantitative evaluation Test : running the software and comparison of actual outputs to expected ones Functional test NO TEST BASED ON CODE STRUCTURE Functional & Structural coverage analysis

DO-178/ED-12 - The verification process System Requirements High-Level Software Architecture Source Code Executable Object Code (A-2: 3, 4, 5) (A-2: 7) (A-2: 6) (A-2: 1, 2) Low-Level A-3.2 Accuracy & Consistency A-3.3 HW Compatibility A-3.4 Verifiability A-3.5 Conformance A-3.7 Algorithm Accuracy A-3.1 Compliance A-3.6 Traceability Compliance: with requirements Conformance: with standards A-6.5 Compatible With Target A-6.3 Compliance A-6.4 Robustness A-6.1 Compliance A-6.2 Robustness A7 Verification of verification (Functional & Structural coverage) A-4.1 Compliance A-4.6 Traceability A-4. 8 Architecture Compatibility A-4.9 Consistency A-4.10 HW Compatibility A-4.11 Verifiability A-4.12 Conformance A-4.13 Partition Integrity A-4.2 Accuracy & Consistency A-4.3 HW Compatibility A-4.4 Verifiability A-4.5 Conformance A-4.7 Algorithm Accuracy A-5.1 Compliance A-5.5 Traceability A-5.2 Compliance A-5.3 Verifiability A-5.4 Conformance A-5.6 Accuracy & Consistency A-5. 7 Complete & Correct

Third principe Þ Potentially opposite interests are at stake Independant authorities assess the process and product

The ED-12B/DO-178B - certification liaison Objective: ensure effective communication/understanding between the applicant and the certification authorities Means: The Plan for Software Aspects of Certification, given to the Authorities as early as possible Reviews carried out by the certification authorities “software” specialists as much as they want Software Accomplishment Summary and Software Configuration Index.

Fourth principe Þ All the interests but must be taken into account to build a recognized set of requirements DO-178/ED-12 is built and updated by all the concerned specialists and actors

Consensus on requirements Joint meetings between the RTCA SC-205 EUROCAE WG-71 Openness, consensus : More than 1200 people registered on the WEB site about 120 attendees in each meeting : aircraft manufacturers, engine makers, equipment suppliers, authorities, scientists and consultants The final text has to be agreed by each of the attendees

DO-248C/ED-94C FAQ/DP/RATIONALE Supplement A Supplement B Supplement … ...Supplement N Interface Spec DO-248C/ED-94C FAQ/DP/RATIONALE DO-278A / ED-109A The « core document » will be completed by supplements : Supplement –guidance used in conjunction with DO-178C/ED-12C that addresses the unique nature of a specific technology or a specific method. A supplement adds, deletes or otherwise modifies: objectives, activities, explanatory text, and software life cycle data in DO-178C/ED-12C. This structuring principle enables incremental future development of software requirements Il est difficile de décrire les objectifs de safety qu’un cycle de développement de logiciel doit atteindre, sans être prescriptif sur les moyens. Ex : le test de logiciel est un moyen, pas un objectif, et il est pourtant requis dans le DO-178B Dès qu’on est prescriptif sur les moyens, on se fait un jour ou l’autre rattraper par une évolution technologique qui rend la prescription difficile à suivre. Ex : remplacement du test par des méthodes formelles de vérification sur certains logiciels de l’A380 Pour la version C (fin 2010), il a été décidé de toucher le moins possible au cœur du DO-178/ED-12 mais de lui adjoindre des suppléments pour prendre en compte les évolutions passées et futurs du Génie Logiciel

The DO-178C/ED-12C : evolution of the content Major improvements are in the supplements : Object Oriented technology Model Based Development Formal Method Technology Tools Qualification In the core document : Basically clarification and improvement in consistency and accuracy. Except for the tool qualification part : Separation of the «why ?» part (>in the core doc) from the «how ?» part (>supplement) Significant evolution of the « why ? »

Formal Methods Technology supplement The FM introductory section insists on the interest of using FM for verification The FA (Formal Analysis) may completely replace : Reviews & analysis (except for validation of « derived requirements ») Conformance test versus /HLR et /LLR Software integration tests Robustness tests FA may help for the verification of compatibility with the hardware FA cannot replace HW/SW integration test The structural coverage objectives are achieved if it can be demonstrated that : Each requirement is completely covered The set of requirements is complete in regards of the attended function There is no non expected dependences between output and input data There is no dead code

Þ Fitfh principe Only requirements are mandatory, not the means Building the « pipe » is to be dealt with by the suppliers

Which industrial use for Static Analysis tools ? Today

Not so frequent …

How to convince certification Authorities ? Example of the “unit level proof of LLR” Discussion with Cert. Auth. software specialists much before the actual use of the tool, to get a general feedback (go/no go) Demonstration of the soundness of the approach Definition of specific rules and standards Demonstration of the completeness of the properties Definition of LLR as pseudo-code + properties Smooth integration in the overall verif./traceability processes Detect and eliminate dead code Verify the executable code Qualify the tool (verification ++ tool)

Which industrial use for Static Analysis tools ? Tomorrow …

Tomorrow … 1 Proof of absence of Real Time Execution error : ASTREE (ENS/ABSINT) For effective certification credit Precision of Floating-point calculus : Fluctuat (CEA) : Abstract Interpretation based; analysis of C or assembly code Safe computation of the numerical (rounding) errors introduced by basic operators or input filtering code In use by Airbus for evaluation : Research prototype for the C language Pre-industrial prototype for the TMS320C33 assembly language

Tomorrow … 2 Validation of the compilation Lcertify (ENS) : Research activity in Airbus Compcert (INRIA) : Industrial prototype available Efficient compilation of a complete subset of the A380 fly-by- wire software Other “translation validation tools” would be highly desirable (e.g. Scade -> C) Various analysis of C code : FRAMA-C (CEA) : Plugin WP to succeed CAVEAT Plugin TASTER for syntaxic control (coding rules enforcement) Plugin for data flow/control flow verification, coming soon

Special thanks … To the co-chairs of the fantastic formal methods SG of the DO- 178C joint committee: Kelly Hayhurst (NASA) Duncan Brown (Rolls Royce) To the Airbus Formal Methods dream team : Famantanantsoa Randimbivololona Jean Souyris David Delmas And to Hervé Delseny from Airbus, who liaised both … Made on http://www.wordle.net

The end Made on http://www.wordle.net

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.